Key Takeaways
- Over 1.8 million Remote Desktop Protocol (RDP) and 1.6 million Virtual Network Computing (VNC) servers are exposed to the internet worldwide.
- China hosts the largest share of exposed services (22 % of RDP, 70 % of VNC), followed by the United States (20 % RDP, 7 % VNC) and Germany (8 % RDP, 2 % VNC).
- Industry exposure: retail, services, and education lead RDP exposure; education, services, and healthcare dominate VNC exposure, with manufacturing, transportation, and utilities also significantly affected.
- Security gaps are widespread: 18 % of exposed RDP run end‑of‑life Windows, 42 % run Windows 10 (now end‑of‑support), >19 000 RDP servers remain vulnerable to BlueKeep, and nearly 60 000 VNC servers have authentication disabled—over 670 linked directly to OT/ICS panels.
- Hacktivist activity is intensifying; groups such as Z‑Pentest/Infrastructure Destruction Squad share scanning tools (e.g., TRK25 ADVANCED SCADA) that target RDP, VNC, Modbus and OPC, and the same groups sell access to compromised SCADA systems.
- Traditional remote‑access methods (VPNs, jump hosts) extend network trust, rely on shared credentials, and create shadow pathways, worsening risk in cyber‑physical systems (CPS).
- Modern Secure Remote Access (SRA) – a control‑plane gateway that isolates sessions and delivers pixel‑based streams – is recommended to provide granular, auditable, and context‑aware access to OT assets.
- Continuous real‑time asset visibility is the foundation for effective SRA, enabling decisions based on live intelligence rather than static inventories.
Global Exposure of RDP and VNC Servers
Forescout’s analysis of Shodan data reveals that more than 1.8 million RDP servers and over 1.6 million VNC servers are currently reachable from the public internet. This massive attack surface spans every continent, with concentrations reflecting both economic activity and the prevalence of legacy remote‑access tools. The sheer volume of exposed services underscores how pervasive insecure remote connectivity has become in both enterprise and industrial settings.
Geographic Distribution of Exposed Services
China accounts for the largest portion of exposed systems, contributing 22 % of RDP and a striking 70 % of VNC servers. The United States follows with 20 % of RDP and 7 % of VNC exposure, while Germany holds 8 % of RDP and 2 % of VNC. These figures indicate that nations with large hosting ecosystems and significant industrial bases are also those most likely to inadvertently expose critical management interfaces.
Sector‑Specific Exposure Patterns
When mapped to industry via Autonomous System Numbers, retail, services, and education emerge as the top three sectors for RDP exposure, representing 32 %, 23 %, and 16 % respectively. For VNC, education leads at 28 %, followed by services (22 %) and healthcare (17 %). Manufacturing, transportation, and utilities also appear prominently, highlighting that operational technology environments are not insulated from the same remote‑access risks that plague traditional IT networks.
Legacy Systems and Known Vulnerabilities
A substantial proportion of the exposed RDP fleet runs outdated or unsupported Windows versions: 18 % are on end‑of‑life releases, and another 42 % sit on Windows 10, which recently reached end of support. More than 19 000 RDP servers remain susceptible to the critical BlueKeep flaw (CVE‑2019‑0708), while nearly 60 000 VNC servers have authentication disabled. Over 670 of these authentication‑free VNC instances are directly linked to OT/ICS control panels, creating a direct pathway to physical processes.
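The risk classes tallied above (end‑of‑life Windows, Windows 10 past end of support, BlueKeep‑era OS families, VNC with authentication disabled, and no‑auth VNC that fronts an OT panel) are the ones a defender should pull out of their own asset inventory first. The following Python is an added illustration, not Forescout's or Vedere Labs' code; the record layout, the inventory values, the `banner_title` field and the OT keyword heuristic are all assumptions made for the example. It reads an export that an asset‑discovery platform might produce and returns the flagged hosts plus per‑sector counts in the shape of the report's own tallies.

```python
"""Triage a remote-access inventory export for the exposure classes the report
counts. Added example: records, field names and keyword heuristic are invented."""
import json
from collections import Counter

# Constructed inventory export (not real hosts; 192.0.2.0/24 is documentation space).
# Field names are an assumption, not any vendor's schema.
INVENTORY_JSON = """
[
 {"ip": "192.0.2.10", "service": "rdp", "os": "Windows Server 2008 R2", "country": "DE", "sector": "manufacturing"},
 {"ip": "192.0.2.11", "service": "rdp", "os": "Windows 10", "country": "US", "sector": "retail"},
 {"ip": "192.0.2.12", "service": "rdp", "os": "Windows Server 2022", "country": "US", "sector": "services"},
 {"ip": "192.0.2.20", "service": "vnc", "auth_required": false, "banner_title": "PumpStation HMI", "country": "CN", "sector": "utilities"},
 {"ip": "192.0.2.21", "service": "vnc", "auth_required": true, "banner_title": "lab-desktop", "country": "CN", "sector": "education"},
 {"ip": "192.0.2.22", "service": "vnc", "auth_required": false, "banner_title": "reception pc", "country": "TR", "sector": "healthcare"}
]
"""

# Windows releases past the end of extended support (Microsoft lifecycle dates).
# Windows 10 is kept as its own class, as the report does.
EOL_WINDOWS = {
    "Windows XP", "Windows Vista", "Windows 7", "Windows 8", "Windows 8.1",
    "Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2",
    "Windows Server 2012", "Windows Server 2012 R2",
}
# OS families in scope for CVE-2019-0708 (BlueKeep). Membership means "confirm
# the patch state", not "confirmed vulnerable": an inventory cannot tell.
BLUEKEEP_FAMILIES = {
    "Windows XP", "Windows Server 2003", "Windows 7",
    "Windows Server 2008", "Windows Server 2008 R2",
}
# Heuristic for VNC banners that look like OT/ICS panels (assumed keyword list).
OT_KEYWORDS = ("hmi", "scada", "plc", "pump", "panel", "substation")


def load_inventory(text):
    """Parse the JSON export into a list of record dicts."""
    return json.loads(text)


def classify(rec):
    """Return the set of risk flags that apply to one inventory record."""
    flags = set()
    if rec["service"] == "rdp":
        os_name = rec.get("os", "")
        if os_name in EOL_WINDOWS:
            flags.add("eol_windows")
        elif os_name == "Windows 10":
            flags.add("windows10_end_of_support")
        if os_name in BLUEKEEP_FAMILIES:
            flags.add("bluekeep_affected_family")
    elif rec["service"] == "vnc":
        # Missing field is treated as "auth on" so we never over-flag on bad data.
        if not rec.get("auth_required", True):
            flags.add("vnc_no_auth")
            title = rec.get("banner_title", "").lower()
            if any(k in title for k in OT_KEYWORDS):
                flags.add("vnc_no_auth_ot_panel")
    return flags


def summarize(records):
    """Count each flag overall and per sector."""
    totals = Counter()
    by_sector = {}
    for rec in records:
        for flag in classify(rec):
            totals[flag] += 1
            by_sector.setdefault(rec.get("sector", "unknown"), Counter())[flag] += 1
    return {"totals": dict(totals),
            "by_sector": {s: dict(c) for s, c in by_sector.items()}}


def triage_report(text):
    """Top-level entry: flagged records (with their flags) plus the summary."""
    records = load_inventory(text)
    flagged = [dict(rec, flags=sorted(classify(rec)))
               for rec in records if classify(rec)]
    return {"flagged": flagged, "summary": summarize(records)}


if __name__ == "__main__":
    print(json.dumps(triage_report(INVENTORY_JSON), indent=2))
```

Two design points: an unknown `auth_required` value is treated as "authentication on", so gaps in the export never inflate the no‑auth count, and the BlueKeep flag names an OS family rather than asserting vulnerability, because only a patch check on the host can confirm that.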
Hacktivist Tool Sharing and Monetization
Threat intelligence shows hacktivist groups increasingly publishing and selling tools that automate the discovery of exposed remote‑access services. The Infrastructure Destruction Squad (IDS), part of the Z‑Pentest alliance, released the TRK25 ADVANCED SCADA scanner on Telegram, complete with source code. The tool probes RDP, VNC, Modbus, and OPC ports, captures screenshots, and includes hard‑coded IP ranges targeting multiple countries. Beyond scanning, IDS has advertised ransomware builders and offered access to compromised SCADA systems, reflecting an evolving “initial‑access broker” model within OT threat landscapes.
Real‑World Exploits Attributed to Hacktivist Groups
Vedere Labs documented concrete examples of IDS activity: a video purportedly showing a compromised groundwater pumping station in Israel, a VNC screenshot of a Turkish control system, and a posted offer to sell access to an exposed SCADA system in Czechia. These incidents illustrate how readily available scanning tools translate into tangible intrusions, often with the goal of disruption, demonstration, or financial gain through access sales.
Inadequacy of Traditional Remote‑Access Approaches
Common practices such as VPNs and jump hosts tend to extend implicit network trust rather than enforce fine‑grained policies. They frequently rely on shared or persistent credentials, lack session‑level visibility, and create undocumented “shadow” pathways established by OEMs, contractors, or ad‑hoc arrangements. In cyber‑physical environments, these weaknesses amplify risk because a single compromised credential can grant broad, persistent control over both IT and OT assets.
Risks Amplified by Legacy Protocols and Limited Visibility
Many industrial systems rely on proprietary or legacy protocols never intended for internet exposure. When these protocols are misconfigured or left open, they become susceptible to unauthorized changes, disruption, and lateral movement. Moreover, limited session logging hampers governance; organizations often cannot answer who accessed a system, whether the access was authorized, or what actions were performed, weakening incident response and forensic capabilities.
The Need for Modern Secure Remote Access (SRA)
Vedere Labs argues that securing remote access in CPS requires a paradigm shift: access must be treated as a controlled operational workflow rather than a bare network connection. Modern SRA introduces a control plane that sits between users, networks, and assets, enforcing contextual policies, isolating sessions, and providing full audit trails. This approach mirrors the rigor applied to physical procedures on the plant floor, ensuring that every interaction is deliberate, verified, and reversible.
Implementation Foundations: Continuous Asset Visibility
Effective SRA begins with real‑time, comprehensive visibility into every asset on the network. Knowing what devices exist, where they reside, their current behavior, and their security posture enables access decisions grounded in live intelligence instead of static inventories or assumptions. Platforms that continuously discover, classify, and monitor OT and IT assets form the essential substrate upon which granular SRA policies can be built.
How an SRA Gateway Operates
A gateway such as Forescout’s recently launched SRA solution mediates each user‑to‑asset interaction. Rather than allowing direct protocol traffic (RDP, SSH, VNC, proprietary control traffic) to reach the asset, the gateway isolates the session and renders it as a secure, browser‑delivered image stream. Users see only pixels; the underlying protocols remain hidden, dramatically reducing the attack surface while preserving necessary functionality for monitoring, maintenance, and engineering tasks.
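The two sections above describe the control plane abstractly: every request is checked against live asset context, the session is brokered so the user only ever sees rendered frames, and each decision leaves an audit record that answers who, whether authorized, and to what. The Python below is an added example of that decision logic, not Forescout's SRA product or its API; the roles, zones, protocol table, staleness threshold, asset records and user names are all constructed for illustration.

```python
"""Toy control-plane policy for brokered remote access. Added example: models a
gateway that decides each user-to-asset request from live asset state, isolates
the session, and writes an audit record. All data here is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Set


@dataclass
class Asset:
    name: str
    zone: str                 # assumed zone labels: "ot-level1", "it-dmz"
    criticality: str          # "high" or "normal"
    protocols: Set[str]       # what the asset speaks; never shown to the user
    last_seen_utc: datetime   # from continuous discovery; stale means unknown state
    posture_ok: bool          # False if the asset has an active alert


@dataclass
class AccessRequest:
    user: str
    role: str                 # "vendor", "engineer", "operator"
    asset: str
    protocol: str
    mfa_verified: bool
    ticket: Optional[str]     # work-order reference; required for high criticality
    requested_at: datetime


# Assumed policy table: which roles may reach which zones, over which protocols.
ROLE_ZONE_ALLOW = {
    "vendor":   {"ot-level1": {"vnc", "rdp"}},
    "engineer": {"ot-level1": {"vnc", "rdp", "ssh"}, "it-dmz": {"rdp", "ssh"}},
    "operator": {"ot-level1": {"vnc"}},
}
STALE_AFTER_SECONDS = 900   # not seen by discovery for 15 min: do not trust the record


def audit_record(req, allowed, reasons):
    """The governance questions: who, was it authorized, to what, and why not."""
    return {"who": req.user, "role": req.role, "asset": req.asset,
            "protocol": req.protocol, "when": req.requested_at.isoformat(),
            "authorized": allowed, "ticket": req.ticket, "denied_because": reasons}


def evaluate(req, assets):
    """Decide one request. Returns allowed flag, reasons, session mode and audit."""
    reasons = []
    asset = assets.get(req.asset)
    if asset is None:
        reasons.append("asset not in live inventory")
    else:
        allowed_protocols = ROLE_ZONE_ALLOW.get(req.role, {}).get(asset.zone, set())
        if req.protocol not in allowed_protocols:
            reasons.append(f"role {req.role} may not use {req.protocol} in {asset.zone}")
        if req.protocol not in asset.protocols:
            reasons.append(f"asset does not expose {req.protocol}")
        age = (req.requested_at - asset.last_seen_utc).total_seconds()
        if age > STALE_AFTER_SECONDS:
            reasons.append(f"asset state stale ({int(age)}s since last discovery)")
        if not asset.posture_ok:
            reasons.append("asset has an active security alert")
        if asset.criticality == "high" and not req.ticket:
            reasons.append("high-criticality asset requires a work-order reference")
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    allowed = not reasons
    return {
        "allowed": allowed,
        "reasons": reasons,
        # The gateway speaks the native protocol itself and streams rendered
        # frames to the browser; the user never holds an asset credential.
        "session_mode": "pixel_stream" if allowed else None,
        "credential_exposed_to_user": False,
        "audit": audit_record(req, allowed, reasons),
    }


# Constructed asset inventory and requests for the demo.
NOW = datetime(2025, 11, 3, 10, 0, tzinfo=timezone.utc)
ASSETS = {
    "pump-hmi-01": Asset("pump-hmi-01", "ot-level1", "high", {"vnc"}, NOW, True),
    "eng-ws-07": Asset("eng-ws-07", "it-dmz", "normal", {"rdp", "ssh"},
                       NOW.replace(hour=8), True),   # last seen two hours ago
}


def demo():
    """Four requests: one clean, one missing a ticket, one wrong protocol, one stale."""
    reqs = [
        AccessRequest("vendor.jane", "vendor", "pump-hmi-01", "vnc", True, "WO-1234", NOW),
        AccessRequest("vendor.jane", "vendor", "pump-hmi-01", "vnc", True, None, NOW),
        AccessRequest("op.bob", "operator", "pump-hmi-01", "rdp", True, "WO-1", NOW),
        AccessRequest("eng.kim", "engineer", "eng-ws-07", "rdp", True, None, NOW),
    ]
    return [evaluate(r, ASSETS) for r in reqs]


if __name__ == "__main__":
    for d in demo():
        print(d["audit"])
```

The staleness check is what ties the gateway to continuous visibility: an asset that discovery has not confirmed recently is denied rather than trusted on the strength of an old inventory entry, and the audit record is written for denials as well as grants so that "was this authorized?" is always answerable.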
Conclusion: Addressing an Overlooked Danger
Despite the prevalence of exposed remote‑access services, many organizations treat these connections as benign, long‑standing arrangements. As highlighted by industry veterans, unsecured RDP or VNC links often sit unnoticed on networks, dismissed as “vendor X” or “trusted integrator” necessities. Yet these same links routinely appear in breach reports under labels like “unauthorized access” or “compromised credentials.” By adopting modern SRA—anchored in continuous visibility, session isolation, and rigorous policy enforcement—enterprises can close one of the most persistent and hazardous gaps in cyber‑physical security.